This is a landmark case to follow. The verdict will have significant global implications for the cyber insurance sector, which, in its present infancy, is fraught with uncertainty. What do directors need to know to protect their organisations?
What directors need to know about Mondelez’s $100m cyber insurance claim against Zurich
First, the back story.
On 27th June 2017, the malicious NotPetya ransomware wiped data from the computers of banks, energy firms, international conglomerates, senior government officials, and airports (1,2). This caused disruption to operations and sales worldwide on an unprecedented scale. Lloyd’s of London estimates the damages to be worth $53 billion (3).
Affected international businesses such as FedEx, TNT Express, Merck, and Maersk announced hundreds of millions of dollars in crippling losses (4,5). Among them was Mondelez, the US food company best known for its Oreo and Cadbury brands.
Mondelez reported that the cyberattack had rendered 1,700 servers and 24,000 laptops “permanently dysfunctional”. Furthermore, disrupted shipping and invoicing operations caused them a 3% loss in sales growth during the last four days of Q2(6).
Mondelez was covered for “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction” under a property insurance policy with Zurich, and made a claim for $100 million to get things back on track.
Zurich initially agreed to provide an interim payout of $10 million, then decided there would be no payout at all. Zurich cited an exclusion in Mondelez’s policy for “a hostile or warlike action by a government or sovereign power or people acting for them”, and argued that the exclusion applied because the US and UK governments had “stated” that NotPetya was the Russian military’s doing (7). Zurich’s refusal prompted Mondelez to sue for $100 million over the cyber insurance claim.
The significance of the Mondelez vs Zurich cyber insurance claim case
Unlike traditional commercial insurance sectors related to physical assets, cyber insurance is relatively new and uncharted. The case of Mondelez vs Zurich demonstrates that neither insurance providers nor insured parties yet have a clear understanding of how cyber insurance should work.
Until the case is played out through the courts, there will be a measure of uncertainty regarding what can be claimed from cyber insurance.
- What burden of proof will Zurich bear to demonstrate that the event was a “warlike action” taken by a State actor?
- Would the opinions of prominent cyber experts, politicians, or media stalwarts suffice? Or do they have such a potential conflict of interest that their opinions must be qualified?
- Can statements from another State actor be trusted? For example, can the FBI/CIA be trusted when it comes to them making statements about Russian intelligence operations?
- Would cyber forensic evidence linked to the alleged perpetrators be required?
- Should one take such evidence at face value, and assume that it was not constructed out of nefarious hidden motives?
If the judge sets the bar too low, any stakeholder’s expert opinion would be enough to evidence “warlike action”, and no cyber insurance policy would be worth the paper it is written on.
If the judge sets the bar too high, would a state of war need to be declared and in progress to evidence “warlike action”? Such an onerous ruling may prompt insurance providers to stop offering cyber insurance altogether.
As a company director or board member, how should you approach cyber insurance?
Our pragmatic advice to directors is to start by acknowledging that cyber insurance has a lot of uncertainty around it. What does Mondelez vs Zurich tell us? That until cyber insurance cases work their way through the courts to build up a body of case law over time, you cannot be assured that your organisation can practicably be covered.
It is a brave new world, and until we get case law, directors must still ensure they have cyber insurance. However, it cannot be approached like traditional insurance products where both insurance providers and their clients have certainty of what coverage means.
Does this mean you should buy the minimum coverage on cyber insurance?
No; here is where it gets tricky. Not all insurance brokers fully understand the nuances of cyber insurance coverage yet, nor do the individuals traditionally tasked with procuring insurance for the organisation.
Blue Zoo has helped hundreds of directors understand the nuances of cyber insurance for their organisations, including government entities, private corporations, and for-purpose associations. We help cyber insurance buyers understand what to ask for, and how to mitigate cyber security risk without sacrificing your organisation’s openness to opportunities and growth.
We welcome directors to explore these issues with Blue Zoo. Let us share further insights and clarity into what is relevant in your organisation.